The Contrast Security AppSec Intelligence Report has uncovered some major revelations from hacking data, including that a large number of real-world application attacks in September originated from the UK.
Key observations from the research revealed that:
- The most obvious vulnerabilities across applications were Cross-Site Scripting, XML External Entity Injection, and Cross-Site Request Forgery.
- There was a 40% increase in total attacks in September, compared to August.
- 99% of attacks were probes that did not connect with a corresponding vulnerability within the target application. This is a worrying piece of data, as it means security teams can’t distinguish between ineffective and effective attacks.
- The most common attack types were SQL Injection, Cross-Site Scripting (XSS), and Path Traversal.
What and where
Further looking into the report, it was found in September that in custom code vulnerabilities, applications had an average of six open and serious exposures.
In terms of the top vulnerabilities by language, injection vulnerabilities dominated. Cross-Site Scripting was the most prevalent in Java applications and was also among the top three weaknesses for .NET and Node applications. SQL Injection.
Despite attacks happening in 119 countries across the globe, the largest number of attacks were originating in the US, India, the Netherlands, Canada, and the UK.
Custom code vulnerabilities
The research found the most serious vulnerabilities found in custom code last month to be:
- Cross-Site Scripting (XSS): Vulnerabilities that occur when untrusted data ends up in an HTML page without proper validation and escaping
- XML External Entity Injection: Vulnerabilities that exist when external entities are processed during XML parsing
- Cross-Site Request Forgery: Vulnerabilities that allow a malicious actor to force a user to complete unwanted commands
- Path Traversal: A vulnerability that allows users to control which files are opened and read by an application
- SQL Injection: Vulnerabilities that exist whenever a developer takes untrusted data (like something submitted in a URL or a web form) and concatenates it into a database query
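The SQL Injection item above describes the bug as concatenating untrusted data into a query, and the report's headline observation is that most attacks are probes that never meet a matching weakness. The following added example (not from the report or from Contrast Security) shows both points side by side on a constructed in-memory SQLite table: the same input handled by a concatenated query and by a parameterised one, so the concatenated version is the effective attack and the parameterised version is the harmless probe.

```python
import sqlite3

# Constructed sample table; nothing here comes from the report.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_concat(conn, name):
    """Vulnerable form: the untrusted value is concatenated into the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, name):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(name):
    """Run one input through both forms and report how many rows each returns."""
    conn = make_db()
    try:
        return {"concat": len(lookup_concat(conn, name)),
                "param": len(lookup_param(conn, name))}
    finally:
        conn.close()

if __name__ == "__main__":
    # Benign input: both forms return the single matching row.
    print(compare("alice"))
    # The textbook tautology: the concatenated query is rewritten to match every row,
    # while the parameterised query merely looks for a user literally named "' OR '1'='1"
    # and finds none, which is what a probe that hits no vulnerability looks like.
    print(compare("' OR '1'='1"))
```

In a log, both requests look alike; only the row count (or an error from the database) tells an effective attack from an ineffective one, which is the distinction the report says teams struggle to make.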
Custom code attacks
As part of the discovery, it was found that there were three primary types of attacks in September. The first of these was SQL Injection, a carefully crafted input that changes the SQL queries an application uses so the attacker can steal data or execute code. This was represented in 42% of attacks and was down 13% from August.
The second most common was Cross-Site Scripting (XSS). This type of infiltration injects malicious scripts into benign and trusted websites, and the report shows it targeted 55% of applications.
Path Traversal was the third most common type of attack; it works by fooling a web application into exposing details. This represented 3% of all attacks in September, down from 17% of attacks in August.
During the recorded month, 87% of applications were targeted by one of these three types of attacks. The majority of incidents (50%) targeted Command Injection vulnerabilities, though these attacks only targeted 32% of applications.